Because APTs work in the shadows, cybersecurity researchers have difficulty pinning down the identities and sponsors behind each attack. Based on the software used and attributed campaigns, analysts at the MITRE Corporation have listed more than 90 different APT groups around the world, covering both freelance and government-sponsored groups.2
Many have been operating for years, which speaks to APT groups’ long-term goals. For instance, China-based APT group Aoqin Dragon has been “linked to attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013.”3
APT attacks occur in multiple stages, with each stage incrementally advancing the APT’s presence in one’s network.
● Infiltration: In the initial stage, the APT uses web assets, network resources, phishing emails, or authorised human users to enter the system. To hoodwink users into granting access, APTs may rely on social engineering, such as spear-phishing emails that deliver malware into the system.4
● Foothold: The APT installs a backdoor that opens unauthorised access to the victim’s system; the attackers can now return at leisure. One recent exploit used legitimate NVIDIA software to launch the PCShare backdoor on the system, with the users none the wiser.5
● Lateral movement: Once inside, the APT attacker moves deeper into the network in search of sensitive data and other high-value assets.6 As APTs are playing the long game, this phase may involve privilege escalation7 to gain broader access to more parts of the network without triggering an alarm. At this stage, the APT can be very difficult to detect because its activity is often disguised as normal network traffic.
● Exfiltration: The APT stages stolen data inside the victim’s system, but eventually has to get it out. In this stage, attackers transfer the data off-premises while disguising the transfer or distracting the security team, often with a DDoS attack that keeps defenders occupied.
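From the defender's side, the practical consequence of this stage model is that no single stage looks alarming on its own; what distinguishes an intrusion is alerts on the same host progressing through the stages in order over weeks or months. The following is an added example (not from the article or its sources) that correlates constructed, hypothetical per-host alerts and escalates only hosts whose alerts chain through the stages in the order described above; host names, timestamps and alert details are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Attack stages in the order the article describes them.
STAGES = ["infiltration", "foothold", "lateral_movement", "exfiltration"]

# Constructed sample alerts (hypothetical hosts, times and details, not real telemetry).
EVENTS = [
    {"ts": "2024-03-01T09:12", "host": "ws-17", "stage": "infiltration",
     "detail": "macro-enabled attachment opened from external sender"},
    {"ts": "2024-03-01T09:40", "host": "ws-17", "stage": "foothold",
     "detail": "new autorun entry pointing at an unsigned binary"},
    {"ts": "2024-03-18T22:05", "host": "ws-17", "stage": "lateral_movement",
     "detail": "SMB logons to 6 servers outside the user's usual set"},
    {"ts": "2024-04-02T03:30", "host": "ws-17", "stage": "exfiltration",
     "detail": "4 GB outbound to a new external address during an inbound flood"},
    # Admin host doing legitimate fan-out: lateral movement with no prior stages.
    {"ts": "2024-03-10T14:00", "host": "admin-01", "stage": "lateral_movement",
     "detail": "remote logons to 12 servers"},
    # Phishing click that led nowhere further.
    {"ts": "2024-03-05T11:00", "host": "ws-22", "stage": "infiltration",
     "detail": "credential-harvesting link clicked"},
]

def chain_progress(events, window_days=60):
    """Per host, the stages reached in article order, where each stage must
    follow the previous one and the whole chain fits within `window_days`."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    progress = {}
    for host, evs in by_host.items():
        reached, start = [], None
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            # A chain that has gone stale is abandoned; start looking afresh.
            if start is not None and t - start > timedelta(days=window_days):
                reached, start = [], None
            expected = STAGES[len(reached)] if len(reached) < len(STAGES) else None
            if e["stage"] == expected:
                start = start or t
                reached.append(e["stage"])
        progress[host] = reached
    return progress

def hosts_to_escalate(events, min_stages=3):
    """Hosts whose alerts chain through at least `min_stages` consecutive stages."""
    return sorted(h for h, r in chain_progress(events).items() if len(r) >= min_stages)
```

Note that a raw alert count would rank admin-01 alongside ws-22, whereas the ordered chain singles out ws-17 and leaves the isolated events where they belong, in routine triage.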